An MTBDD-based Implementation of Forward Reachability for Probabilistic Timed Automata

Transcription

1 An MTBDD-based Implementation of Forward Reachability for Probabilistic Timed Automata Fuzhi Wang and Marta Kwiatkowska School of Computer Science, University of Birmingham, Birmingham B15 2TT, United Kingdom {F.Wang, Abstract. Multi-Terminal Binary Decision Diagrams (MTBDDs) have been successfully applied in symbolic model checking of probabilistic systems. In this paper we propose an encoding method for Probabilistic Timed Automata (PTA) based on MTBDDs. The timing information is encoded via placeholders stored in the MTBDDs that are independent of how the timing information is represented. Using the Colorado University Decision Diagrams (CUDD) package, an experimental model checker is implemented, which supports probabilistic reachability model checking via the forward algorithm. We use Difference Bound Matrices (DBMs) and Difference Decision Diagrams (DDDs) for representing timing information and present experimental results on three case studies. Our key contribution is a general placeholder encoding method for Probabilistic Timed Automata and an experimental MTBDD-based model checker which has been partly integrated with PRISM. This is the first symbolic implementation of the forward probabilistic reachability algorithm. 1 Introduction Binary Decision Diagrams (BDDs) [7] are the main data structure used in symbolic model model checking. Their success relies on the ability of BDD-like data structures to compactly represent both sets of states and the transition relation between these states. BDDs, however, cannot represent quantitative information. Recently, Multi-Terminal Decision Diagrams (MTBDDs) [8] have been successfully applied in the verification of probabilistic systems [10, 12], and various extensions, Difference Decision Diagrams (DDDs) [17], Clock Difference Diagrams (CDDs) [2] and Clock-Restriction Diagram (CRDs) [20], have been proposed for use in symbolic verification of real-time systems. However, no symbolic data structure exists for the verification of probabilistic real-time systems modelled as Probabilistic Timed Automata (PTA) [14], which contain both real-time clocks and probabilistic information. Probabilistic timed automata are a natural model for randomised distributed algorithms that use timing delays, and a number of models of such algorithms have been developed. The subclass of probabilistic timed automata with digital clocks [13] can be modelled and verified directly using the PRISM model checker [1]. For PTAs that do not comply with this

2 restriction, currently two, non-symbolic, methods are supported: via the forward exploration algorithm of [14] using the KRONOS to PRISM connection [9], or forward/backward using the experimental implementation of [16]. Both these methods are based on a translation into the textual modelling language of PRISM, and are therefore rather involved. In this paper, we investigate a fully symbolic implementation of model checking for probabilistic timed automata. We propose an MTBDD-based placeholder encoding method for representing probabilistic timed automata which is independent of the data structure used to represent timing information. The advantage of our proposal is that the method is general: firstly, other data structures for representing timing information could also be integrated with this encoding method; secondly, both forward and backward analysis can be supported. The main difficulty for the fully symbolic approach is that the state space is not known in advance, since the states are extracted dynamically via forward/backward exploration, in contrast to symbolic model checking for probabilistic systems where the size of the state space can be deduced from the syntactic model description. Using the CUDD package [19] an experimental tool has been implemented and partly integrated within PRISM. We report on the performance of our implementation of the forward probabilistic reachability algorithm on three case studies. This is the first fully symbolic implementation of the forward probabilistic reachability for probabilistic timed automata originally proposed in [14]. Related Work. The most commonly used data structure for representing timing information in real-time verification tools [6, 3] is Difference Bound Matrices (DBMs) [4]. A number of BDD-like data structures, e.g. CDDs [2], DDDs [17] and CRDs [20], have been proposed for use in verifying real-time systems, but not yet extended to the probabilistic case. MTBDDs have been successfully applied in model checking of probabilistic systems, and also probabilistic timed automata and timed systems with digital clocks [12], but not in the case of the full class of PTAs. Recently, MTBDDs have also been applied to real-time systems [18]. Although the approach in [18] uses a single data structure (MTBDDs) to represent both timing and discrete information in order to leverage well-known techniques for BDDs or MTBDDs, it involves SAT-based analysis. There are two, non-symbolic, methods for dense-time probabilistic timed automata: via the forward exploration algorithm implemented in [9], or forward/backward using the experimental implementation of [16]. The forward method is not guaranteed to produce exact reachability probabilities [14], but only requires simple operations; on the other hand, backward analysis can produce exact probabilities but at a cost of higher computational complexity. The method of [9], which combines KRONOS [6] and PRISM [1] to verify the IEEE Root Contention Protocol, requires three steps: firstly, a set of states reachable from the source state before the deadline is calculated using KRONOS [6]; secondly, the result is translated into a PRISM model description which is input into PRISM and, finally, probabilistic analysis is performed. This method is not efficient because it can generate large files that have to be parsed by PRISM. Our experimental implementation of [16] suffers from the same problem, as it

3 performs a translation into the PRISM modelling language. In this paper we propose a general MTBDD-based encoding scheme that can deal with both forward and backward analysis in a single step, thus avoiding the expensive translation at the level of text. 2 The Symbolic Encoding Method 2.1 Syntax of Probabilistic Timed Automata Let R be the time domain of the non-negative reals and N the natural numbers. We assume a given finite set X of clocks, variables x X that take values from the time domain R. A point ν R X is referred to as a clock valuation, with 0 R X the valuation that assigns 0 to all clocks in X. We use ν[x := d] to denote the clock valuation obtained from ν by resetting all of the clocks in X X to d, where d is a natural number or zero with the value of the remaining clocks unaffected. A zone of X, written ζ, is a subset of the valuation space R X described by a conjunction of constraints. Formally, for a given set of clocks X, a zone ζ is defined by the following syntax: ζ ::= x c x y c ζ ζ ζ where x, y X, c N and {, <, >, }. The set of zones of X is denoted by Zones(X ) for a given set of clocks X. Below we review the definition of probabilistic timed automata [14]. Definition 1. A probabilistic timed automaton (PTA) is a tuple = (L, X, L, inv, prob) where: L is a finite set of locations; the function inv : L Zones(X ) is the invariant condition; the finite set prob L Zones(X ) Dist(2 X L) is the probabilistic edge relation; L : L 2 AP is a labelling function assigning atomic propositions to locations. A state of a probabilistic timed automaton is a pair (l, ν) where l L and ν R X are such that ν inv(l). The invariant condition describes the set of admissible states. Transitions are probabilistic edges (l, g, p) prob where l is the source location, g is the enabling guard and p the probability distribution on target locations, together with the set of clocks to be reset as the edge is taken. It is more convenient to treat an edge of a PTA as a tuple (n, l, inv(l), l, inv(l ), g, X, p) where n is the non-deterministic choice between simultaneously enabled distributions, coded as a natural number, such that (l, g, p) prob and p(x, l ) > 0. Such a tuple contains sufficient information for making a transition, and will be directly used in our encoding method.

4 2.2 Multi-Terminal Binary Decision Diagrams (MTBDDs) MTBDDs [8] are an extension of BDDs [7] which allow one to represent functions over Boolean vectors that can take any value, not just 0 or 1. In other words, BDDs can have only two terminals, while MTBDDs can have more than two terminals. An MTBDD is a Directed Acyclic Graph (DAG) whose vertices, as for BDDs, are called nodes. There are two kinds of nodes in an MTBDD, non-terminal and terminal. Like in a BDD, a non-terminal node is labelled with a single variable and each non-terminal node has exactly two children. However, unlike BDDs, the terminal node which has no children is labelled by a real number. MTBDDs can be reduced to the canonical form by imposing an ordering of the variables. However, similarly to BDDs, the size of the MTBDDs is extremely sensitive to the ordering of its variables. Probabilistic systems, for example, Markov Decision Processes (MDPs) that are induced from PTAs, are described in terms of probability matrices, and their analysis involves numerical computation such as solving a linear equation system or (as is the case with MDPs) a linear programming problem. MTBDDs can represent both probability vectors and matrices, and can therefore serve as a symbolic representation for probabilistic systems. Given a real-valued vector of length 2 n, an MTBDD encoding can be obtained by mapping to reals from vector s indices which are encoded into n Boolean variables. As far as numerical computation is concerned, MTBDDs support methods for implementing standard matrix operations, such as scalar multiplication, matrix addition and matrix multiplication. 2.3 Representations for Zones DBMs. Difference Bound Matrices (DBMs) are data structures that can efficiently represent sets of adjacent regions (convex union of adjacent regions which is also called a zone). Non-convex zones are represented as lists of DBMs. A DBM is a square matrix whose elements represent bounds on the difference between two clock values. For a set of n clocks {x 1,..., x n }, and by using a special clock x 0 whose value is always zero, the constraints over these clocks can be encoded as a (n + 1) (n + 1) square matrix D whose indices range over the interval [0..n] and whose elements belong to N {<, }, where N = N {0, }. DDDs. Difference Decision Diagrams (DDDs) are designed for representing both convex and non-convex unions of zones, which are called Difference Constraint Expressions (DCE) in DDDs. DDDs are a BDD-like data-structure. Like a BDD, a difference decision diagram is also a DAG whose vertex set contains two terminals 0 and 1, and a set of non-terminal vertices, each with two children. A non-terminal vertex v corresponds to an integer- or real-valued difference constraint between two clocks. A path in a DDD is a finite sequence of edges, and it corresponds to a conjunction of difference constraints that is called a Difference Constraint System (DCS) in DDD. In contrast to BDDs, the same pair of clocks can appear more than once along a path in a DDD. A DCS corresponds to a DBM. DDDs contain DBMs as a special case. A path that ends with true or

5 false is called a 1-path or 0-path respectively. A path p is feasible if and only if the corresponding DCS has a solution. If the Difference Constraint System has no solution, the path is infeasible. Unlike in BDDs, both 0- and 1-paths can be feasible or infeasible because the difference constraints can interact with each other along the path. 2.4 Encoding Probabilistic Timed Transitions MTBDDs have been successfully applied for symbolic model checking of untimed probabilistic systems [1, 12], and specifically Markov Decision Processes (MDPs) which arise as the representation of the PTAs. The method relies on encoding sets of states as BDDs and the (probabilistic) transition relation between these states using MTBDDs, which can be done compactly if there is sufficient regularity in the model. For finite untimed probabilistic systems the potential state space is known in advance of constructing the symbolic representation of the model, as it can be deduced from the syntactic model description. This fact is exploited when formulating heuristics that determine BDD variable ordering, a good choice of which is essential to guarantee a compact model representation. The difficulty with model checking of PTAs is that the size of the state space is unknown beforehand, and states (location-zone pairs) are generated dynamically through the process of exploration of the zone graph using timed predecessor or successor operations. The resulting symbolic representation has to be amenable to such dynamic manipulation of the state space which has the potential to destroy regularity. Although, if using the region graph, the size of the state space of a PTA can be established in advance of the model construction, such an approach is impractical due to the region graph being exponential in the number of clocks and the maximal constant appearing in the model. In this section we propose an encoding method for probabilistic timed automata based on MTBDDs. Below we describe how to encode the states and probabilistic edges. In this paper we focus on application of our method to forward probabilistic reachability analysis. However, it is also suitable for backward analysis. Firstly, let us consider how to encode the state space. Each state in the state space has the form of (l, ζ) where l L is the discrete part and ζ Zones(X ) is the zone. Our method is to use a Boolean vector to encode the discrete part of the pair and a separate Boolean vector for the zone part. The basic idea behind the Boolean encoding is that 2 n elements of a finite set could be encoded using n bits. For the discrete part, which is finite, the Boolean vector is further divided into several groups according the structure of the system, for example, the number of subcomponents and values of the non-clock variables following well-known heuristics established in [10, 11]. The number of zones, unfortunately, could be infinite when forward analysis is used. The technique in [4] guarantees the termination of the forward reachability search, which means that a finite set of zones could be obtained. Since the set of zones is finite, informally, we use a one-to-one function to assign a unique index to each zone and similar logarithmic encoding is applied. The invariant and the

6 guard appearing in the probabilistic transition are also zones, so a unique index value is assigned to each of them. In this paper we use a simple method for allocating indices; later, we discuss how this can be improved. Next, let us consider the probabilistic transition relation. Each probabilistic edge has the form of the tuple (n, l, inv(l), l, inv(l ), g, X, p), where n is (the encoding of) the non-deterministic choice, l and inv(l) are the current location and its invariant, l and inv(l ) are the next location and its invariant, g is the guard, X is the set of clocks to be reset and p is the probability value. The probability value is natively supported by MTBDDs. The number of nondeterministic choices in each state is finite and bounded. The maximum number of non-deterministic choices for all states is determined through parallel composition, and can therefore be encoded using the logarithmic encoding. It remains to encode the set X of clocks to be reset. There are a number of issues to consider when encoding the clock reset operation in the transition relation: Recall that each clock x X could be set to different values and not simply zero. If we encode each reset in the transition, this means we need two sets of Boolean BDD variables for it: one for the clock and the other for the value that the clock should be set to. The total number of clocks to be reset appearing in the transition could vary. Thus, we opt for a simple approach: a Boolean vector is reserved in the transition for assigning a unique index value to each distinct set X and each set X is explicitly stored as a list. Below we summarise the main issues that have to be addressed when applying our encoding method: Unlike in the case of non-probabilistic timed systems, in which the on-the-fly technique [5] could be applied to make search algorithms finish as early as possible, the forward probabilistic reachability search has to construct the whole reachable zone graph in order to obtain the probability value. The size of the state space and transitions between these states of the generated probabilistic system is uncertain before the forward/backward algorithm, which dynamically generates these states, terminates. As a result, we cannot fix the size of the vector of Boolean variables needed to encode the zone part in advance. Instead, we pre-allocate the vector based on an estimate. 2.5 Implementation Our proposed forward probabilistic reachability algorithm is given in Figure 1 in terms of MTBDD-based pseudo-code. Below we described the BDD and MTBDD operations needed for the algorithm. In the following, we assume M is an MTBDD, and x, y, z are the Boolean vectors which correspond to the MTBDD variables for row, column and non-deterministic choice in an MDP matrix. Operations and + are the MTBDD operations over the reals.

7 Operations, and \ are the BDD operations (and, or and difference) on sets. Function Threshold(M, >, 0) returns the BDD by replacing each terminal node with 1 if and only if its value is greater than 0. Function ThereExists(x, M) returns the MTBDD by deleting the nodes containing the Boolean vector x. Function ReplaceVars(M, y, x)) returns the MTBDD by replacing the Boolean vector y with x. The algorithm in Figure 1 is an MTBDD-based implementation of the algorithm of [14] with respect to our encoding. The algorithm ModelCheckingP T A accepts three parameters: the probabilistic transition relation PS P T A, which is an MTBDD-encoded representation of the syntax of the original probabilistic timed automaton, the initial set of states φ init and the set of target states φ target. Lines 1-4 deal with the initialisation: line 1 initialises the generated set of probabilistic transitions with the empty set, and lines 2-3 assign the initial set to both the front set and the reachable set. Lines 5-21 generate the finite-state graph, the edges of which are obtained in lines 8-11 by iterating timed and discrete successor operations. Each generated edge has the form of a tuple (n, l, l, ζ, ζ, p), where n is the encoding of non-deterministic choice, (l, ζ) corresponds to current symbolic state, (l, ζ ) is the next symbolic state in the generated transition, and p is the probability value. Line 6 constructs a temporary MTBDD with the information necessary for the timed and discrete successor operations by restricting to the front set: each path of the temporary MTBDD has the form of a tuple (n, l, ζ, inv(l), l, inv(l ), g, X, p), where l and l are the current and next locations, inv(l) and inv(l ) are the invariants associated with current and next location respectively, ζ is the current zone associated with current location, g is the guard, X is the set of clocks to be reset and p is the probability. Lines extract the reachable states from the generated probabilistic transition set and check whether the fixed point is reached. Line 20 adds the set of newly generated edges to the old one. Finally, in line 22, model checking is performed on the resulting finite-state probabilistic system to obtain the maximum probability of reaching the set of target locations. Lines give the MTBDD-based pseudo-code of the construction of a single probabilistic edge of the generated MDP. Line 9.1 obtains the next zone by using standard zone successor operation. Line 9.2 uses the technique in [4] to obtain the unique normal form of the next zone and adds it to the list of zones if it is a new one, and otherwise it returns the unique index to it in the list. Line 9.3 constructs and returns the probabilistic edge of the generated MDP. Remark. For the forward reachability search, each zone obtained is convex, and can be stored as a single DBM. (A convex zone in DDDs can only have one path; this is also true for CRDs or CDDs.) The operation Normalise(ζ, k) (k-normalization defined in [4]) to obtain the normal form of a zone ζ, where k is the maximal constant appearing in the model or the specification, is necessary to guarantee the termination of the forward reachability search. For DDDs, the zone can be first transformed into a DBM on which the k-normalization can be

8 applied, and then transformed back into a DDD. The case of CRDs and CDDs can be handled in a similar way. ModelCheckingP T A(PS P T A, φ init, φ target ) 1. PS MDP := 2. φ frontset := φ init 3. φ reach := φ init 4. done := false 5. while (done = false) 6. TmpPS := φ frontset PS P T A 7. T := 8. for each non-zero path oftmpps 9.1. ζ = ZoneSuccessor(l, inv(l), ζ, l, inv(l ), g, X) 9.2. ζ = AddZone(Normalise(ζ, k)) 9.3. tr = n l ζ l ζ p 10. T := T + tr 11. endfor 12. T 01 := Threshold(T, >, 0) 13. φ tmp := ThereExists(z, T 01) 14. φ tmp := ThereExists(x, φ tmp ) 15. φ tmp := ReplaceVars(φ tmp, y, x)) 16. φ reach := φ reach φ tmp 17. if (φ reach = φ reach) then done := true 18. φ frontset := φ reach \ φ reach 19. φ reach := φ reach 20. PS MDP := PS MDP + T 21. endwhile 22. return MaxP robreach(φ init, φ reach, P S MDP ) Fig. 1. The MTBDD version of the ModelCheckingP T A algorithm 2.6 Backward Adaption In this paper, we only present the application of our encoding method to forward analysis. However, it it also suitable for backward analysis. What is needed is a replacement of lines with the corresponding backward step, and initialisation with the target set instead of the initial set. 3 Experimental Results 3.1 Tool Overview Using the Colorado University Decision Diagrams (CUDD) package, a symbolic model checker has been implemented which supports forward probabilistic reachability model checking via the algorithm originally presented in [14]. This is the first symbolic implementation of the forward reachability algorithm.

9 Our tool takes as input a description of a system written in a probabilistic variant of the guarded commands language with real-time clocks (currently, the PRISM input language does not support real-time clocks). It first parses the PTA model from this description into an MTBDD, and then computes the set of probabilistically reachable states which comprise the model, which is an MDP over location-zone pairs [14]. The tool then performs model checking over this MDP in the standard way, and calculates the probability of reaching the target set to determine whether the specification is satisfied. In this tool, the model construction and reachability analysis are implemented using MTBDDs to represent both the discrete part of the state and the placeholder, reserved in the Boolean vector of the BDD variables, that represents the zone. The tool supports two kinds of representation of timing information: DBMs and DDDs. The transition relation of the PTA model is encoded within MTBDDs. Unlike untimed probabilistic model checking, the MDP model is dynamically constructed via forward searching which involves timing operations, for example, the timed successor. The generated MDP differs from the original PTA in that it represents the dynamic behaviour of the PTA, which is computed via forward exploration and dynamically filled using the placeholders reserved in the BDD vector. Although the tool currently supports only forward analysis and two kinds of representation for timing information, our encoding method is general: firstly, other data structures for representing timing information could be integrated; secondly, backward reachability analysis is also suitable for this encoding. 3.2 Case Studies We present experimental results based on three case studies: the IEEE 1394 FireWire root contention protocol, the IEEE CSMA/CD (Carrier Sense, Multiple Access with Collision Detection) protocol and Milner s scheduler. The models for FireWire and CSMA/CD are the same as those used in [16]. The model for Milner s scheduler is that used in [17] with only one clock. In the tables, - denotes that the data is not available. We omit the probability values since they all agree with those calculated previously by other methods. The results obtained from verifying the abstract and the full models of Firewire root contention protocol [15] are shown in Table 1 and Table 2. The property verified is the minimum probability that, from the initial state, a leader (root) is chosen before the deadline is reached. Table 5 and Table 6 show the memory consumption. Table 3 and Table 4 include results for the CSMA/CD protocol when computing the maximum and minimum probability of both stations correctly delivering their packets by the deadline D. Table 7 and Table 8 show the memory consumption. Table 9 shows the result of verifying Milner s scheduler when computing the maximum probability of any two cyclers being in the critical section at the same time. To evaluate our encoding method, we also implemented an explicit version of the data structure which stores explicitly the discrete part of the symbolic states.

10 Table 1. Verification of the abstract model I p 1 with wire delay set to 360 ns Deadline States Time(Explicit) Time(Symbolic) MTBDD/DDD MTBDD/DBM Forward Construct. M.C. S.F.C. M.C. S.F.C. M.C Table 2. Verification of the full model Impl p with wire delay set to 360 ns Deadline States Time(Explicit) Time(Symbolic) MTBDD/DDD MTBDD/DBM Forward Construct. M.C. S.F.C. M.C. S.F.C. M.C Performance. In tables [1-4], the term Explicit refers to the explicit version and MTBDD/DDD refers to the version which uses MTBDDs for encoding the discrete part and DDDs for timing information; MTBDD/DBM refers to the version which differs from the MTBDD/DDD by using DBMs instead of DDDs. However, in order to model check certain properties, the explicit version involves two steps: first, it generates the reachable states, and next it represents those as a model in the PRISM input language, which is then passed to PRISM to finish the verification process. On the other hand, in the MTBDD/DDD and MTBDD/DBM versions, as they have already been partly integrated with PRISM, the overall checking process does not go through the PRISM input language: the tool constructs the target MDP models in MTBDDs and directly calls functions provided by PRISM. Here we only consider the algorithm performance and the number of states obtained from the experiments. The leftmost column of these tables gives the

11 Table 3. Verification of the full CSMA/CD model (max, backoff=1) Deadline States Time(Explicit) Time(Symbolic) MTBDD/DDD MTBDD/DBM Forward Construct. M.C. S.F.C. M.C. S.F.C. M.C Table 4. Verification of the full CSMA/CD model (min, backoff=1) Deadline States Time(Explicit) Time(Symbolic) MTBDD/DDD MTBDD/DBM Forward Construct. M.C. S.F.C. M.C. S.F.C. M.C different deadlines. The second column shows the number of symbolic states generated via the forward construction. The column S.F.C. refers to the symbolic forward and construction. The column M.C. refers to the computation time for model checking the given properties against the MDP model encoded as an MTBDD. The unit for all columns Time is seconds. Notice that there are three columns under the Explicit version: the first column represents the time taken to generate the reachable states and translate the model to the PRISM input language, while the second refers to model construction time by PRISM via explicit encoding. The times for model checking are nearly same for the three versions. We comment on the time spent on constructing MDP models encoded as MTBDDs via forward analysis. Compared to the explicit implementation, the symbolic encoding version based on DBMs has a significant advantage: the time spent on generating the MDP models is no longer a problem, since it took 110 seconds to perform both the forward construction and to generate the MDP in MTBDDs for the full model Impl p with deadline 9000 ns, whilst it took 3925 seconds to generate the MDP model alone with the same deadline with the explicit version. For the abstract model, the DDD-based version performs as well as the DBMbased one. However, for the full model Impl p, it is slower due to a large number of intermediate DDD nodes being generated, which forces the DDD run-time library to invoke garbage collection. The main reason is that DDDs have no canonical property. Memory. With regard to memory usage, we need to consider two kinds of usage for each symbolic state: the memory for the discrete part and the zone

12 Table 5. Memory consumption of the abstract model I p 1 with wire delay set to 360 ns Deadline Nodes Nodes Mem. (Zone) (Explicit) (Discrete) DDD DBM Peak Estimated Table 6. Memory consumption of the full model Impl p with wire delay set to 360 ns Deadline Nodes Nodes Mem. (Zone) (Explicit) (discrete) DDD DBM Peak Estimated part. In tables [5-8], the unit for all columns under Mem. is in kilo-bytes and the unit for all columns under Nodes is the number of the nodes in the MTBDD where each node occupies 20 bytes. Compared with the explicit version, both symbolic versions use more nodes. However, the chief contributor to the growth in the size of our symbolic data structures seems to be the fact that we do not exploit regularity in the zone representation because this first implementation allocates unique indices to zones in an arbitrary order which are then stored in the placeholders. The results of [9] show that such regularity exists and we have adapted this method and obtained preliminary results which will appear in the first author s coming thesis. We note that the symbolic versions are performing the generation of the state space dynamically at the same time as calculating the encoding, while the explicit version does not start to encode the MTBDD until the whole state

13 Table 7. Memory consumption of the full model CSMA (max, backoff=1) Deadline Nodes Nodes Mem. (Zone) (Explicit) (discrete) DDD DBM Peak Estimated Table 8. Memory consumption of the full model CSMA (min, backoff=1) Deadline Nodes Nodes Mem. (Zone) (Explicit) (discrete) DDD DBM Peak Estimated space is generated. We compare the memory usage on the zone part because those for the discrete part are the same for both symbolic versions. The memory consumption for DBMs is that actually used. For DDDs, we cannot give the actual memory consumption, and instead give both the estimated and peak time memory consumption. The column Estimated refers to an estimation of the memory consumption of all zones based on DDDs when reaching the fixed point. The column Peak refers to the highest value of memory consumption by DDDs when reaching the fixed point. The DBM-based representation uses less memory than the DDD-based representation. In practice, as shown in Table 6, the estimation of memory consumption for zones in DDDs is around 3-5 times as many as those in DBMs. However, compared with those by DBMs, the peak memory consumption of DDDs is huge, since DDDs use 1000 times more memory than DBMs for the full model Impl p with deadline 5000 ns means garbage collection occurred (DDD run-time library configuration with 800M). We note, however, that since non-convex zones arise in backward exploration it is difficult to predict how the representations will behave in the latter case. Scalability. In Table 9, the column Prod. const. is the time spent on parallel composition to build the product model and the column Encoding the time on encoding the product model into MTBDDs. In the case study of Milner s scheduler, which shows the scalability of our method and generates only five zones in total after the application of the forward algorithm, the result is not as good as those obtained with DDDs [17]. This is partly because the experimental nature of our implementation not only involves zone search but probability

14 Table 9. Verification of the Milner s scheduler with only one clock N Symbolic/Time Prob. Nodes Prod. const. Encoding S.F.C (Discrete) computation as well, and partly because the parallel composition of components is constructed explicitly and does not utilise the Kronecker approach [10] implemented in PRISM which is based on good heuristics for BDD variable ordering that can yield compact MTBDDs. 4 Conclusion We have proposed an MTBDD-based placeholder encoding method for model checking of probabilistic timed automata and implemented an experimental tool using the CUDD package. The timing information is represented as either DBMs or DDDs. Our method allows one to use other data structures, for example, CRDs [20] or CDDs [2], for representing the timing information. Future work will address the efficiency of the symbolic implementation presented in this paper, and in particular exploiting regularity in the zone graph, implementing Kronecker-based parallel composition of probabilistic timed automata, and augmenting PRISM with real-time clocks. Acknowledgements. We would like to thank the authors of the DDD library for letting us use their DDD implementation. We would also like to thank Gethin Norman and David Parker for helpful discussion. References 1. PRISM WebSite. dxp/prism/. 2. G. Behrmann, K. G. Larsen, J. Pearson, C. Weise, and W. Yi. Efficient timed reachability analysis using clock difference diagrams. In Proc. CAV 99, pages , London, UK, Springer-Verlag. 3. J. Bengtsson, W. Griffioen, K. Kristoffersen, K. Larsen, F. Larsson, P. Pettersson, and W. Yi. Automated verification of an audio-control protocol using UPPAAL. Journal of Logic and Algebric Programming, 52(3): , J. Bengtsson and W. Yi. Timed automata: Semantics, algorithms and tools. In 4th Advanced Course on Petri Nets, volume 3098 of LNCS, pages Springer, A. Bouajjani, S. Tripakis, and S. Yovine. On-the-fly symbolic model checking for real-time systems. In Proc. 18TH IEEE Real-Time Systems Symposium, pages 25 34, Los Alamitos, IEEE CS Press.

15 6. M. Bozga, C. Daws, O. Maler, A. Olivero, S. Tripakis, and S. Yovine. Kronos: A model-checking tool for real-time systems. In Proc. CAV 98, pages , London, UK, Springer-Verlag. 7. R. E. Bryant. Graph-based algorithms for Boolean function manipulation. IEEE Trans. Comput., C-35(8): , Aug E. Clarke, M. Fujita, P. McGeer, K. McMillan, J. Yang, and X. Zhao. Multiterminal binary decision diagrams: An efficient data structure for matrix representation. In Proc. IWLS 93, pages 1 15, Also available in Formal Methods in System Design, 10(2/3): , C. Daws, M. Kwiatkowska, and G. Norman. Automatic verification of the IEEE 1394 root contention protocol with KRONOS and PRISM. In Proc. 7th FMICS 02, volume 66.2 of Electronic Notes in Theoretical Computer Science. Elsevier, L. de Alfaro, M. Kwiatkowska, G. Norman, D. Parker, and R. Segala. Symbolic model checking of concurrent probabilistic processes using MTBDDs and the Kronecker representation. In Proc. 6th TACAS 00, volume 1785 of LNCS, pages Springer, H. Hermanns, M. Kwiatkowska, G. Norman, D. Parker, and M. Siegle. On the use of MTBDDs for performability analysis and verification of stochastic systems. Journal of Logic and Algebraic Programming, 56(1-2):23 67, M. Kwiatkowska, G. Norman, and D. Parker. Probabilistic symbolic model checking with PRISM: A hybrid approach. In Proc. 8th TACAS 02, volume 2280 of LNCS, pages Springer, M. Kwiatkowska, G. Norman, D. Parker, and J. Sproston. Performance analysis of probabilistic timed automata using digital clocks. In Proc. FORMATS 03, volume 2791 of LNCS, pages Springer-Verlag, M. Kwiatkowska, G. Norman, R. Segala, and J. Sproston. Automatic verification of real-time systems with discrete probability distributions. Theoretical Computer Science, 282: , M. Kwiatkowska, G. Norman, and J. Sproston. Probabilistic model checking of deadline properties in the IEEE 1394 FireWire root contention protocol. Special Issue of Formal Aspects of Computing, 14: , M. Kwiatkowska, G. Norman, J. Sproston, and F. Wang. Symbolic model checking for probabilistic timed automata. In Joint Conference on FORMATS and FTRTFT, volume 3253 of LNCS, pages Springer, J. Møller, J. Lichtenberg, H. R. Andersen, and H. Hulgaard. Fully symbolic model checking of timed systems using difference decision diagrams. In Workshop on Symbolic Model Checking, volume 23, The IT University of Copenhagen, Denmark, June S. A. Seshia and R. E. Bryant. A boolean approach to unbounded, fully symbolic model checking of timed automata. Technical Report CMU-CS , Carnegie Mellon University, F. Somenzi. CUDD: CU Decision Diagram Package Release, F. Wang. Efficient verification of timed automata with BDD-like data-structures. In Verification, model checking, and abstract interpretation, volume 2575 of LNCS, pages Springer, 2003.